A U.S. researcher is flagging a security flaw in a smartphone app that’s mandatory for all those attending the 2022 Winter Olympics, describing what he found as “nefarious and concerning.”
Jonathan Scott, lead mobile security engineer at fintech company cLabs, discovered the flaw recently after reverse-engineering both the iOS and Android versions of the My 2022 app—a tool developed by Beijing to track users’ COVID-19 health status and to provide information about the Games.
What Scott also discovered was that the AI algorithm behind the app was developed by iFlytek Co., a blacklisted Chinese tech firm known for its ties with Beijing’s human rights abuses in China’s far-western Xinjiang region.
In an interview with EpochTV’s “China Insider” program, Scott explained the flaw: The app listens to all audio and when it detects a user saying words deemed sensitive by Beijing, it collects the audio and sends it to servers in China for analysis.
The app automatically moves to the phone’s foreground once it’s triggered by sensitive words, even if the phone’s user leaves the app in the background, according to Scott.
“It’s an invasive application,” he said.
As for what these sensitive words are, Scott said they’re the words that make up a censorship keyboard list previously reported by the Citizen Lab. The list serves what he called a “wake-up feature” to trigger the app’s recording function.
The Citizen Lab, a research institute at the University of Toronto, released its digital forensic analysis on Jan. 18, discovering that the app’s encryption to protect users’ audio files and health and customs forms can be vulnerable to hackers.
The analysis also found that the app has the ability to censor 2,442 blacklisted words considered “politically sensitive in China.” It concluded that the list was inactive on the app—contrary to what Scott found.
“I’m fairly confident they did not decrypt the iOS application, so they couldn’t actually see these functions happening. Because it’s very evident once you’ve decrypted the iOS application,” Scott said about the discrepancy.
Scott said the code of his research is available for people to see at his GitHub repository, and he will release a full report on his findings.
In October 2019, the Trump administration placed iFlytek and 27 other Chinese companies and public security bureaus on a U.S. Commerce Department blacklist.
The department’s filing said the “entities have been implicated in human rights violations and abuses in the implementation of China’s campaign of repression, mass arbitrary detention, and high-technology surveillance against Uyghurs, Kazakhs, and other members of Muslim minority groups.”
Several Western governments, including the United States and the United Kingdom, have determined that the Chinese regime’s policies in Xinjiang amount to genocide. An estimated 1 million people, most of them Uyghurs, are currently being detained in internment camps where they’re known to be subjected to abuses that include forced sterilization, forced abortion, rape, torture, forced labor, and the removal of children from their families.
“It is exactly this type of behavior that got them blacklisted. It’s the monitoring of people. … It’s the human rights violation as it pertains to data privacy, that’s what it came down to,” Scott said.
The question now becomes whether the app should be available on Google and Apple’s app stores.
“For Apple and Google to allow a blacklisted company to actually be on even Americans’ phones, I mean, there’s an issue there, right?” Scott said. “We cannot transact with them at all, but yet we’re forced to have this on our devices.”
Several countries—including Australia, Canada, the United States, and the UK—have announced diplomatic boycotts of the 2022 Winter Olympics, to be hosted by Beijing from Feb. 4 to Feb. 20.
Apple and Google didn’t respond to a request for comment by press time.